
New Secure Online Check-Out Tech Goes For Less Friction, More Biometrics

BioCatch, Zumigo, and Alibaba release tools to help merchants avoid those pesky charge-back costs.

While point-of-sale systems at brick-and-mortar stores continue to be a rich feeding ground for data-hungry hackers, some merchants are at least beginning to take the security of their online shops seriously. The altruistic goal of protecting customers might not provide enough inspiration, but the goal of avoiding the costs of expensive charge-backs on fraudulent purchases does.   

Yet, retailers are historically resistant to increased authentication and authorization measures, because they increase "friction" -- meaning, they make the purchasing process longer and more complicated for the buyer, thereby making the buyer more likely to give up and go elsewhere.

Fortunately for those merchants, the industry has released a few new security tools over the past week that aim to improve security without increasing -- perhaps even reducing -- customer friction. 

BioCatch e-Commerce

This week, Israel-based startup BioCatch expanded the e-commerce offering of its "passive biometrics" technology. The technology collects behavioral data from a user's endpoint input devices -- keyboards, mice, accelerometers, etc. -- and paints a picture of the user's unique but completely unconscious habits. As DarkReading explained in an interview with BioCatch in July:

They capture physiological behaviors like whether the user is left-handed or right-handed, the duration of their hand tremor, the size of their finger press, their hand-eye coordination, and their muscle structure. They capture cognitive indicators like how a user scrolls through a screen -- do they click the mouse, click and drag the mouse, use the arrow keys, use page up and page down, etc. -- how they interact with certain applications, and how they move the cursor -- quick and direct, slow and circuitous, curving up, curving down.

Then the BioCatch application issues "invisible challenges." The application may speed up or slow down how fast a selection wheel moves, or nudge a cursor in one direction, or create a "force field" that requires a user to press a touchscreen more firmly, and then see how the user responds.

All of those factors are combined into a "cognitive signature," which can then be used for "passive biometric" authentication or fraud detection.

This technology is particularly good at spotting the difference between a human being and a robot, or one human being and another. 

The company says the e-commerce solution can also be used to tell the difference between regular behavior and criminal behavior.

“When making purchases online, fraudsters behave differently than legitimate consumers. Whereas most of us take some time to adjust to a site’s specific checkout process, fraudsters breeze through it with a high familiarity level because they have done it tens or hundreds of times before,” said Uri Rivner, VP Cyber Strategies and Co-founder at BioCatch.

Smile To Pay

Last week, Alibaba both introduced a new biometric authentication mechanism to the payment world and tried to bring some joy to the task of parting with one's money, by announcing Smile to Pay.

Alibaba founder Jack Ma demoed the product at the CeBIT conference in Hanover, Germany. The details thus far are minimal, but the gist is that when a purchaser presses "buy," a facial recognition interaction is initiated; essentially, the buyer completes a purchase by holding their phone up for a quick selfie.

The name Smile to Pay is appropriate when buying gaming systems or new shoes; less so when paying exorbitant mobile phone bills, but don't worry -- you don't actually need to smile. 

Smile to Pay is being tested by Ant Financial, an Alibaba affiliate that uses the Alipay online payment system. Alibaba plans to roll out the service first in China.

Zumigo Assure Payments 

Zumigo released a new tool this week, Zumigo Assure Payments, to improve verification of identities of buyers making purchases from mobile devices.

Partnering with mobile operators and Equifax, Zumigo can check the billing records of the mobile device being used to conduct the purchase, and check to see whether or not the identity of the mobile user and the identity on the buyer's payment card match. If they do, it's a lower-risk purchase; if they don't, it's higher-risk.

The Zumigo tool also zeroes in on the real-time location of the mobile device and compares it against the IP address and the shipping/billing addresses of the buyer. The closer the match, the lower the risk.
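The two Zumigo checks described above, a billing-identity match plus device-location distances against the IP geolocation and shipping address, combined into a simple risk score. This is an added illustration, not Zumigo's code; the thresholds, weights, name-matching heuristic and sample checkouts are assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def same_person(name_a, name_b):
    """Loose identity match, case- and whitespace-insensitive (assumed heuristic)."""
    return " ".join(name_a.lower().split()) == " ".join(name_b.lower().split())

def score_checkout(tx, near_km=50.0, far_km=500.0):
    """Combine the signals into a risk score; higher is riskier.
    Weights and distance thresholds are assumptions for illustration only."""
    score, reasons = 0, []
    if not same_person(tx["carrier_billing_name"], tx["card_name"]):
        score += 40
        reasons.append("mobile billing identity does not match card")
    for label in ("ip_geo", "shipping_geo"):
        dist = haversine_km(tx["device_gps"], tx[label])
        if dist > far_km:
            score += 30
            reasons.append(f"device is {dist:.0f} km from {label}")
        elif dist > near_km:
            score += 10
            reasons.append(f"device is {dist:.0f} km from {label}")
    return {"score": score, "reasons": reasons}

# Constructed sample checkouts (coordinates are approximate city centres).
LEGIT_TX = {
    "carrier_billing_name": "Jane Q. Public", "card_name": "jane q. public",
    "device_gps": (37.34, -121.89), "ip_geo": (37.36, -121.93),
    "shipping_geo": (37.34, -121.89),
}
RISKY_TX = {
    "carrier_billing_name": "Jane Q. Public", "card_name": "John Doe",
    "device_gps": (52.52, 13.40), "ip_geo": (37.36, -121.93),
    "shipping_geo": (37.34, -121.89),
}

if __name__ == "__main__":
    for name, tx in (("legit", LEGIT_TX), ("risky", RISKY_TX)):
        print(name, score_checkout(tx))
```

A real deployment would feed the score into the merchant's existing fraud rules rather than decline outright, since carrier records and IP geolocation are both noisy.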

While the partnership with the mobile operators could reduce fraud, customers and privacy advocates may balk; it could be seen as another case of mobile operators playing fast and loose with customers' identity and location data.

Yet, privacy complaints may go ignored, if both security and convenience are well served. Last week, Facebook built upon its Messenger app -- which has also been criticized by privacy advocates -- to create a peer-to-peer payment application for Messenger users to send money to one another directly.

According to data released today by SecurityMetrics, six out of 10 merchants still store, unencrypted, payment cards' 16-digit primary account numbers. Further, 7 percent store the full magnetic stripe data, including PAN, cardholder name, expiration date, CVV, PIN, and service code. With data like that floating around, new payment security technology can't come soon enough.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Kelly Jackson Higgins, User Rank: Strategist
3/25/2015 | 11:58:45 AM
Smile to Pay is a clever marketing strategy, I must say. As we know, the more brick-and-mortar PoS gets locked down, the more the bad guys will redirect attacks to ecommerce shopping.

User Rank: Apprentice
3/24/2015 | 11:50:54 PM
I don't do selfies
I'll just shop somewhere else if a store wants me to send a selfie with my payment. As for Zumigo, will we be aware that the merchant using this has access to our mobile billing records? It's terrifying that merchants have records of so much of our credit card information, there for the hacking. Our information is not any safer with online merchants either.